# hostapd user database for integrated EAP server

# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). Password can alternatively be stored as
# NtPasswordHash (16-byte MD4 hash of the UTF-16LE (Unicode) encoding of the
# password) if it is used for MSCHAP or MSCHAPv2 authentication. This means
# that the plaintext password does not need to be included in the user file.
# Password hash is stored as hash:<16-octets of hex data> without quotation
# marks. Note that for MSCHAP/MSCHAPv2 the NT hash is by itself sufficient to
# authenticate as the user, so this file must be protected as carefully as one
# containing plaintext passwords.

# [2] flag at the end of the line can be used to mark users for tunneled phase
# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
# identity can be used in the unencrypted phase 1 and the real user identity
# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
# access is needed, two user entries are needed, one for phase 1 and another
# with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use the
# password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
# password.
# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set an anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and
# to avoid having to configure every certificate for EAP-TLS authentication.
# The first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# "prefix"* can be used to match the given prefix and anything after it. The
# main purpose for this is to be able to avoid EAP method negotiation when the
# method uses a known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
# is only allowed for phase 1 identities.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force the PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and selects the
# version based on the first PEAP packet from the supplicant.
#
# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
# Tunneled EAP methods are configured with the standard EAP method name and the
# [2] flag. Non-EAP methods can be enabled with the following method names:
# TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP
# require a plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use the
# NT password hash.
#
# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly
# to the way radius_auth_req_attr is used for Access-Request packets in
# hostapd.conf. For the EAP server, this is configured separately for each user
# entry with radius_accept_attr=<value> line(s) following the main user entry
# line.

# Phase 1 users
"user" MD5 "password"
"test user" MD5 "secret"
"example user" TLS
"DOMAIN\user" MSCHAPV2 "password"
"gtc user" GTC "password"
"pax user" PAX "unknown"
"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
"psk user" PSK "unknown"
"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"ttls" TTLS
"not anonymous" PEAP
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
"0"* AKA,TTLS,TLS,PEAP,SIM
"1"* SIM,TTLS,TLS,PEAP,AKA
"2"* AKA,TTLS,TLS,PEAP,SIM
"3"* SIM,TTLS,TLS,PEAP,AKA
"4"* AKA,TTLS,TLS,PEAP,SIM
"5"* SIM,TTLS,TLS,PEAP,AKA
"6"* AKA'
"7"* AKA'
"8"* AKA'

# Wildcard for all other identities
* PEAP,TTLS,TLS,SIM,AKA

# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"t-md5" MD5 "password" [2]
"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
"t-gtc" GTC "password" [2]
"not anonymous" MSCHAPV2 "password" [2]
"user" MD5,GTC,MSCHAPV2 "password" [2]
"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
"ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]

# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
"0"* AKA [2]
"1"* SIM [2]
"2"* AKA [2]
"3"* SIM [2]
"4"* AKA [2]
"5"* SIM [2]
"6"* AKA' [2]
"7"* AKA' [2]
"8"* AKA' [2]

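The entries above are only useful if you can predict which one hostapd will pick for a given identity. The following is an added example, not hostapd's own parser: it reads entries in this format and resolves an identity the way the header describes (entries tried top to bottom, first match wins, `"prefix"*` and `*` wildcards, phase 1 and phase 2 kept apart by the `[2]` flag), and it reports entries that can never be selected because an earlier entry in the same phase always matches first, which is the mistake the "use * last" advice guards against. The sample entries are a constructed subset of the list above, the `radius_accept_attr` value is made up, and treating a bare hex password as a hex-encoded binary secret is this example's own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EapUser:
    identity: Optional[str]            # None for the bare '*' wildcard entry
    prefix: bool                       # True for "prefix"* entries (phase 1 only)
    methods: list                      # EAP method names in the order they are offered
    password: Optional[bytes] = None   # quoted plaintext, or hex-decoded key (assumption)
    nt_hash: Optional[bytes] = None    # 16-octet NtPasswordHash from a hash:... field
    phase2: bool = False               # [2] flag: entry used inside the tunnel
    peap_ver: Optional[int] = None     # [ver=N] flag after PEAP
    accept_attrs: list = field(default_factory=list)  # radius_accept_attr=... lines


_TOKEN = re.compile(r'"[^"]*"\*?|\S+')   # quoted strings may contain spaces
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_eap_user_file(text):
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("radius_accept_attr="):   # attaches to the preceding entry
            if not users:
                raise ValueError("radius_accept_attr before any user entry")
            users[-1].accept_attrs.append(line.split("=", 1)[1])
            continue
        tokens = _TOKEN.findall(line)
        ident_tok = tokens.pop(0)
        if ident_tok == "*":
            user = EapUser(identity=None, prefix=False, methods=[])
        elif ident_tok.startswith('"'):
            prefix = ident_tok.endswith("*")
            user = EapUser(identity=ident_tok[1:-2] if prefix else ident_tok[1:-1],
                           prefix=prefix, methods=[])
        else:
            raise ValueError(f"identity must be quoted or '*': {raw!r}")
        if not tokens:
            raise ValueError(f"missing EAP method: {raw!r}")
        user.methods = tokens.pop(0).split(",")
        for tok in tokens:
            if tok == "[2]":
                user.phase2 = True
            elif tok.startswith("[ver=") and tok.endswith("]"):
                user.peap_ver = int(tok[5:-1])
            elif tok.startswith("hash:"):
                user.nt_hash = bytes.fromhex(tok[5:])
                if len(user.nt_hash) != 16:
                    raise ValueError(f"NtPasswordHash must be 16 octets: {raw!r}")
            elif tok.startswith('"') and tok.endswith('"'):
                user.password = tok[1:-1].encode()
            elif _HEX.match(tok) and len(tok) % 2 == 0:
                user.password = bytes.fromhex(tok)   # assumption: bare hex = binary key
            else:
                raise ValueError(f"unexpected token {tok!r}: {raw!r}")
        if user.prefix and user.phase2:
            raise ValueError(f'"prefix"* is only allowed for phase 1: {raw!r}')
        users.append(user)
    return users


def find_user(users, identity, phase2=False):
    """First matching entry wins, as the header says; there is no best-match ranking."""
    for u in users:
        if u.phase2 != phase2:
            continue
        if u.identity is None or identity == u.identity or (u.prefix and identity.startswith(u.identity)):
            return u
    return None


def _covers(e, u):
    """True when every identity that entry u matches is already matched by earlier entry e."""
    if e.identity is None:
        return True
    if u.identity is None:
        return False
    if e.prefix:
        return u.identity.startswith(e.identity)
    return not u.prefix and e.identity == u.identity


def shadowed_entries(users):
    """Identities of entries that can never be selected (misordered '*' or prefix entries)."""
    return [u.identity if u.identity is not None else "*"
            for i, u in enumerate(users)
            if any(_covers(e, u) for e in users[:i] if e.phase2 == u.phase2)]


# Constructed subset of the entries above; the radius_accept_attr value is made up.
SAMPLE = r'''
# Phase 1 users
"user" MD5 "password"
"test user" MD5 "secret"
"DOMAIN\user" MSCHAPV2 "password"
"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
"not anonymous" PEAP
"0"* AKA,TTLS,TLS,PEAP,SIM
"6"* AKA'
* PEAP,TTLS,TLS,SIM,AKA
radius_accept_attr=77:s:example

# Phase 2 (tunnelled) users
"not anonymous" MSCHAPV2 "password" [2]
"user" MD5,GTC,MSCHAPV2 "password" [2]
"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
'''
```

Note that "not anonymous" needs both a phase 1 and a phase 2 entry, exactly as the header describes for non-anonymous access, and that `find_user(..., "nobody", phase2=True)` returns nothing because the sample has no phase 2 wildcard.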